httpd-dev mailing list archives

From: Dr Stephen Henson
Subject: Re: [vote] release 2.2.15?
Date: Wed, 03 Mar 2010 18:31:36 GMT
William A. Rowe Jr. wrote:
> On 3/3/2010 11:50 AM, Stefan Fritsch wrote:
>> On Wednesday 03 March 2010, Mladen Turk wrote:
>>> BTW, I wouldn't recommend compiling against 0.9.8m.
>>> openssl s_client < 0.9.8m blocks on renegotiation
>> Have you only tried 0.9.8l as client? It has a known bug with 
>> renegotiation that makes it hang instead of fail.
>> I have no problems with 0.9.8c and 0.9.8g (from Debian 4.0 and 5.0). 
>> If SSLInsecureRenegotiation is on, it works. If 
>> SSLInsecureRenegotiation is off, I get an "sslv3 alert handshake 
>> failure".
> And the bug is specific to openssl < 0.9.8m mishandling the alert; it will
> neither abort nor resume the prior session, so it is left to time out.  You
> may want to contrast this behavior to legacy IE, Firefox, etc.
> Attached is one suggestion of a workaround.

If I understand the code correctly it looks like Apache is already trapping and
aborting client-initiated renegotiations so this "hang" situation shouldn't arise.

Note that you don't need to abort if secure renegotiation is supported by the

Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute:
OpenSSL Core team:
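The decision the thread is arguing about (abort a client-initiated renegotiation, or let it proceed because the client signalled RFC 5746 support) comes down to what the server sees in the ClientHello. The following is an added example, not code from mod_ssl, OpenSSL or anyone in this thread: a minimal ClientHello parser that checks for the two RFC 5746 signals (the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite 0x00ff and the renegotiation_info extension 0xff01), and a simplified model of the SSLInsecureRenegotiation policy built on top of it. The ClientHello byte strings are constructed in the code, not captured traffic, and `build_client_hello`, `renegotiation_decision` and the result strings are names invented for this example.

```python
"""Added example: detect RFC 5746 secure-renegotiation signalling in a TLS
ClientHello and apply a simplified SSLInsecureRenegotiation-style policy.
Not mod_ssl or OpenSSL code; fixtures are constructed by hand."""
import struct

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling cipher suite value
EXT_RENEGOTIATION_INFO = 0xFF01             # RFC 5746 extension type


def build_client_hello(cipher_suites, extensions=None) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record (test fixture, not captured traffic)."""
    body = struct.pack("!H", 0x0301) + bytes(32) + b"\x00"  # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"  # one compression method: null
    if extensions:
        exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; return version, cipher suites, extensions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                      # version, random
    pos += 1 + hello[pos]              # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # compression methods
    extensions = {}
    if pos < len(hello):               # extensions block is optional (legacy clients omit it)
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            extensions[etype] = hello[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suites": suites, "extensions": extensions}


def client_supports_secure_renegotiation(hello: dict) -> bool:
    """RFC 5746 3.4: the client signals support with the SCSV or the renegotiation_info extension."""
    return (TLS_EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]
            or EXT_RENEGOTIATION_INFO in hello["extensions"])


def renegotiation_decision(hello: dict, insecure_renegotiation_allowed: bool) -> str:
    """Simplified model of what a server does with a renegotiation request from this client.
    insecure_renegotiation_allowed plays the role of SSLInsecureRenegotiation on/off."""
    if client_supports_secure_renegotiation(hello):
        return "allow (secure renegotiation)"
    if insecure_renegotiation_allowed:
        return "allow (insecure, legacy client)"
    return "reject: handshake_failure alert"


# Constructed fixtures: a client without any RFC 5746 signal, one that advertises
# the SCSV, and one that sends an (initially empty) renegotiation_info extension.
LEGACY_CLIENT = build_client_hello([0x002F, 0x0035])
SCSV_CLIENT = build_client_hello([0x002F, 0x0035, TLS_EMPTY_RENEGOTIATION_INFO_SCSV])
EXT_CLIENT = build_client_hello([0x002F, 0x0035], [(EXT_RENEGOTIATION_INFO, b"\x00")])

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY_CLIENT), ("scsv", SCSV_CLIENT), ("ext", EXT_CLIENT)):
        h = parse_client_hello(rec)
        for policy in (False, True):
            print(f"{name:6} SSLInsecureRenegotiation={'on' if policy else 'off':3} "
                  f"-> {renegotiation_decision(h, policy)}")
```

A legacy client reaching the "reject" branch is the case the thread describes: the server answers the renegotiation attempt with a handshake_failure alert, and whether the client fails cleanly or hangs depends on how that client handles the alert, not on anything the server can change.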
